
Registry Privacy Statement

INTRODUCTION

About

Afilias provides reliable, secure management of top-level domains. As the registry operator for top-level domains (TLDs), Afilias maintains the responsibility for the operation of each TLD, including maintaining a registry of the domain names within each TLD. In connection with generic top-level domains (gTLDs), Afilias serves as the registry operator for these gTLDs under contracts with the Internet Corporation for Assigned Names and Numbers (ICANN), a not-for-profit private sector organization that is charged with coordinating and ensuring the stable and secure operation of the Internet’s unique identifier systems (https://www.icann.org).

In connection with country-code top-level domains (ccTLDs), Afilias has entered into separate legal arrangements with the ccTLD managers for the provision of these services.

Afilias is made up of Afilias Limited and its subsidiaries: Afilias Technologies Limited, Monolith Registry, LLC, and other registry operators (the “Afilias Group”). This privacy notice is issued on behalf of the Afilias Group so when we mention “Afilias”, “we”, “us” or “our”, we are referring to the relevant company in the Afilias Group responsible for your data.

General

Afilias is committed to processing your personal data in a fair and lawful manner. This Privacy Statement aims to provide information about Afilias’ collection and processing of personal data.

Scope

This Privacy Statement relates to our registry system only. It is intended to outline the information we collect, how it is stored, used, shared, and protected, and your choices regarding use, access, and correction of your information.

It is important that you read this Privacy Statement together with any other privacy policy or fair processing notice we may provide on specific occasions when we are collecting or processing personal data. This privacy notice supplements other notices and is not intended to override them.

"Personal Data" means information relating to an identified or identifiable natural person. "Data Subject" means the individual to whom any given Personal Data covered by this Privacy Statement refers.

11 December 2019 Page 1 of 13

WHAT INFORMATION WE COLLECT

Introduction

We must collect and process some information in order to operate our registry services or provide support for registrars.

When you register a domain name, the registrar collects information in accordance with requirements under their ICANN accreditation contract, including your name, address, telephone number and other personal data. Data may relate to you (the registrant) or to other persons nominated by you.

Additionally, registrar personnel must provide personal contact data during accreditation for TLDs and when communicating with registry customer support.

Types Collected in the Previous Twelve Months

All domain names registered in our system may be associated with the following information, and registrars may have additional or special policies or requirements:

Registered Name Holder (or Registrant): the legal owner of the domain name.

Other Contacts: the entity or person authorized by the registrant to interact with the registrar on behalf of the registrant.

Sponsoring registrar: The registrar authorized by the registrant or reseller to register and manage the domain.

Nameservers: the domain nameservers to which the domain must be delegated in the DNS in order to function.

The following information may also be provided:

DNS Security information: public information published in the DNS to support the secure operation of the domain.

The Registrant and Other Contacts may include the following information:

A Unique ID for the contact, assigned by the Registry (may be referenced as “ROID”)

A Unique ID for the contact, assigned by the Registrar

Contact Name

Organisation*

Postal address information

Communication information (e.g. Phone, Fax, )

Afilias also collects and processes:

Certain data elements relating to the traffic accessing its system, including Addresses (IP Addresses)

Customer Relationship Management (CRM) data from our registrars for our use in connection with our services

DNS log data created in the course of providing our services

To the extent that such data is capable of being used to identify an individual (alone or in conjunction with other data), it is treated as Personal Data under this Privacy Statement.

How Collected

Much of what we collect is provided directly by you during the process of registering a domain name from an ICANN accredited registrar pursuant to a domain name purchase contract. Afilias receives domain name registrations, and the associated personal data provided upon registration of a domain name by registrants, from ICANN accredited registrars. The registrar provides this information to Afilias when the domain is registered.

Registrars

Like most other domain name registries, all domain names registered in the Afilias system are registered via accredited third parties called registrars. These registrars are retailers or resellers who register domain names on behalf of their customers, and typically provide additional services (such as web hosting, email, and TLS/SSL certificates).

In connection with ICANN administered gTLDs, requirements are outlined in both the registry and registrar contracts with ICANN and the subsequent required agreements between registries and registrars. Because of these relationships outlined by contractual requirements, ICANN, registries, and registrars are often considered joint controllers for information collected, stored, transferred, and processed in line with our Registry Agreements with ICANN (https://www.icann.org/resources/pages/registries/registries-agreements-en).

In connection with ccTLDs, requirements concerning the collection and processing of Personal Data are outlined in the respective contracts between registries, registrars, and registrants.

Please note that each registrar has its own policies and procedures and you should review a registrar’s privacy policy and procedures prior to your purchase of a domain name. Registrars are responsible for collecting and transferring registration data, presenting each registrant with their privacy policies, that of their registry partners, and information on the mechanisms for access and correction of their data.

Registrars have broad powers to register, delete, and modify the domain names that are registered for their customers. Registrars can also amend the above information at any time during the lifetime of the .

Other

Afilias also stores the following information:

The creation date of the domain

The expiry date of the domain

Status codes used to facilitate management of the domain lifecycle

An authorisation code used for transfers

Because we do not directly interact with registrants, we do not receive or store any of the following information:

The IP address of the registrar’s customer

Any financial or payment information

Any passwords or other multi-factor authentication information used by the registrant to access the registrar’s services

Registry services are not intended for children, and we do not knowingly collect data relating to children.

HOW WE USE INFORMATION

Commitment

Afilias will make all reasonable efforts to ensure that Personal Data is processed only in relation to the purposes set out below including to fulfill Afilias’ contracts with ICANN. We will make all reasonable efforts to ensure that personal information is not further processed in a way incompatible with the purpose for which it was collected or received.

Registry

We use this data to provide registry services, to enforce our policies and to prevent, detect, and respond to malicious behavior and/or misuse of our services.

DNS

We use the domain name, name servers, and DNS security information (if any) to publish DNS zone files to facilitate the functioning of the domains. This information can be queried through our public DNS servers. In connection with gTLDs, third parties can also access copies of the zone files after signing an agreement, or via ICANN’s Centralized Zone Data Service (CZDS) (https://czds.icann.org/).

In providing the DNS services, Afilias collects and processes DNS queries, which include both source and destination IP Address information, time and date stamps, and other technical information. We use this information to provide connectivity and routing, to identify and mitigate malicious and fraudulent activity, and to enhance our services. Afilias makes use of traffic data for technical purposes to enhance security and stability in its operations.

Registration Data Directory Service (RDDS)

The RDDS is a standard service operated by all domain name registries as required by ICANN. We may use Personal Data when dealing with complaints of or copyright infringement or mitigating malicious and fraudulent activity.

Afilias uses Personal Data and other information collected in the course of providing registry services to: comply with contractual requirements, ICANN policy requirements, law and regulation; investigate and respond to complaints of malicious and fraudulent activity; and enforce registry policies related to, without limitation, Personal Data accuracy, the use of proxy and/or privacy registration services, limitations on registration, and prohibitions against the use of domain names for other activity that is contrary to applicable law.

Analysing Domain Name Usage

So we can monitor usage of domains, Afilias collects data on whether domain names resolve, where they are hosted, whether they are used for email and whether a is in place. As part of this, we may collect information about the landing page and About Us or Contact Us pages of a website so that we can categorise the website type (e.g. , parking page, etc). We may also check whether it has a TLS/SSL certificate and whether there is a matching domain name in a different top-level domain. Any information gathered is used to help Afilias better understand how domains are used by registrants. Afilias may from time to time collect and aggregate demographic data for statistical analysis and other research but does not disclose personally identifiable information in that process.

Processing Purposes

We have set out below, in a table format, a description of all the ways we plan to use your Personal Data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

| Purpose/Activity | Type of data | Lawful basis for processing including basis of legitimate interest |
| --- | --- | --- |
| To register you as a new customer | (a) Identity (b) Contact | Performance of a contract with you |
| To process and deliver your order (including renewals) including: (a) Managing payments, fees and charges (b) Collecting and recovering money owed to us | (a) Identity (b) Contact (c) Financial (d) Transaction (e) Communications | (a) Performance of a contract with you (b) Necessary for our legitimate interests (to recover debts due to us) |
| To manage the relationship with you, which will include: (a) Notifying you about changes to our terms or privacy policy (d) Your use of our products/services (including facilitating and supporting such use) | (a) Identity (b) Contact (c) Profile (d) Communications (e) Usage | (a) Performance of a contract with you (b) Necessary to comply with a legal obligation (c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services, to facilitate the use of our products/services, to develop them and grow our business) |
| To use data analytics to improve our products/services, customer relationships and experiences | (a) Technical (b) Usage | Necessary for our legitimate interests (to define types of customers for our products and services and to develop our business and to inform our marketing strategy) |
| To administer and protect our business (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | (a) Identity (b) Contact (c) Technical | (a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganization or group restructuring exercise) (b) Necessary to comply with a legal obligation |

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.

Most commonly, we will use your Personal Data in the following circumstances:

Where it is necessary for the purposes of our legitimate interests or those of a third party (e.g., for the provision of our services or products), and your interests and fundamental rights and freedoms do not override our legitimate interests.

Where we need to perform a contract we have entered into with you or in order to take steps at your request prior to entering into a contract.

Where we need to comply with our legal obligations.

Compliance with Legal Obligations

We may be required to use and retain Personal Data for legal and compliance reasons, such as the prevention, detection, or investigation of an alleged crime. We may also use Personal Data to meet our internal and external audit requirements, and as we otherwise believe to be necessary or appropriate: (a) under applicable law, which may include laws outside your country of residence; (b) to respond to requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include such authorities outside your country of residence; (c) to enforce or apply our contractual rights; and (d) to otherwise protect our rights, privacy, safety, or property, or those of other persons.

HOW INFORMATION IS SHARED

We may disclose Personal Data for the purposes set out in the table above. Below are the parties with whom we may share Personal Data and why.

Registration Data Directory Service (RDDS)

Afilias is required by our ICANN agreements to maintain a public RDDS lookup for domain names in our TLDs.

Afilias makes personal data contained in our system available upon request to third parties with a legitimate and proportionate interest in using the data for non-marketing purposes such as consumer protection, crime detection, intellectual property protection, etc.

The RDDS is used by third parties to obtain information about registered domain names, including:

a. Supporting the security and stability of the Internet by providing contact points for network operators and administrators, including ISPs, and certified computer incident response teams;

b. Determining the registration status of domain names;

c. Assisting law enforcement authorities in investigations for enforcing national and international laws;

d. Assisting in combating malicious and fraudulent uses of information communication technology;

e. Facilitating inquiries and subsequent steps to conduct trademark research and to help counter intellectual property infringement;

f. Contributing to user confidence in the Internet by helping users identify persons or entities responsible for content and services online; and

g. Assisting businesses, other organizations and users in combating fraud, complying with relevant laws and safeguarding the interests of the public.

Data Escrow

In connection with gTLDs, the policies of ICANN (the Internet Corporation for Assigned Names and Numbers) mandate that we provide copies of registration data to Data Escrow Agents (DEAs) certified by ICANN. These DEAs hold copies of the data to provide protection against the unlikely event of registry or registrar failure or loss. They are not authorized to process the data in any other way. In the event of a registry, or registry technical failure, the securely held data will be used to ensure the continued functionality of registered domain names. This backup mechanism in case of failure is a protective measure that ensures the continued stable and secure operation of the DNS.

Deposits of registration data are encrypted and digitally signed and transmitted securely to the DEAs, who, after validating them, store them securely and will not release the data except under very limited circumstances. More information about the Registry Data Escrow (RDE) program may be found at: https://newgtlds.icann.org/en/applicants/data-escrow.

In connection with ccTLDs, Afilias follows similar technical procedures with DEAs; however, ICANN does not have a legal right to the escrow files.

International Transfer

We may transfer and store Personal Data outside the European Economic Area (EEA). It may also be processed by staff operating outside the EEA who work for one of our suppliers. Such staff may be engaged in, among other things, the processing or fulfilment of applications, and the provision of support services. When we transfer your information to recipients in other countries, we will comply with applicable legal requirements providing adequate protection for the transfer of Personal Data.

Within Afilias, Personal Data will be made available to Afilias employees around the world if necessary for the provision of our products and services, e.g., account administration, sales and marketing, customer and technical support, and business and product development. All of our employees and contractors are required to follow our data privacy and security policies when handling Personal Data.

Third Parties and Service Providers

In order to fulfil the purposes set out above, we may share your Personal Data with third parties, but we have not and do not sell your Personal Data. Our third-party service providers are not permitted to share or use Personal Data we make available to them for any purpose other than to provide services to us. We require all third parties to respect the security of your Personal Data and to treat it in accordance with the law. We use third-party service providers located around the world, including outside the EU, to serve the needs of our business, workforce, and customers. Personal Data will be made available to these parties only when necessary to fulfill the services they provide to us, such as software, system, and platform support, including cloud services; data analytics; and order fulfillment and delivery. We take appropriate steps to ensure that Personal Data is processed, secured, and transferred according to applicable law.

Aggregated Data

We collect, use and share aggregated statistical or demographic data. Aggregated data may be derived from your Personal Data but is not considered Personal Data in law as this data does not directly or indirectly reveal your identity.

Legal Requests

In certain situations, we may be required to disclose Personal Data in response to lawful requests by public authorities, including: to meet national security or law enforcement requirements; to identify and respond to cybersecurity threats; and to comply with national or foreign laws or to respond to lawful requests and legal process in national or foreign civil, criminal or investigative matters.

HOW INFORMATION IS STORED

Location

Afilias is a global organization, and your Personal Data may be stored and processed outside of your country of residence. Afilias has networks, databases, servers, systems, support, help desks and offices located around the world, including outside the European Union. We take steps to ensure that the information we collect is processed according to this Privacy Statement and the requirements of applicable law wherever the data is located.

Retention

We will only retain your Personal Data in identifiable form for as long as needed for the purposes for which it is gathered and processed. When we no longer need Personal Data, we will anonymize, securely delete or destroy it.

When a domain name is deleted, any contact information associated with the domain will also be deleted if the records are no longer needed for other domains in the database. This also occurs if a domain is updated to use different contact information (such as when a domain changes ownership).

HOW INFORMATION IS PROTECTED

Afilias has put in place technical and organizational measures to protect Personal Data covered by this Privacy Statement from loss, misuse, and unauthorized access, disclosure, alteration, and destruction. We have put in place procedures to deal with any suspected Personal Data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Afilias has contracts with registrars that require that they ensure that their connection to our registry system is secure, and that all data exchanged between their system and ours is protected. However, Afilias cannot ensure or guarantee the security of registrars’ systems.

Domain name registration information is stored in databases that are hosted in secure colocation facilities or cloud service providers and protected by enterprise-grade firewalls and an Information Security Management System. In addition, Afilias limits access to Personal Data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your Personal Data on our instructions and are subject to a duty of confidentiality. Our security procedures are subject to at least an annual SOC 1 Type II audit by an internationally recognized accounting firm.

Backups

We take regular backups of all data in our system to ensure continuity of service.

Registration Data Directory Service (RDDS)

Afilias prohibits the use of data published via RDDS (1) except in compliance with applicable law; (2) to allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via direct mail, electronic mail, or by telephone; or (3) to enable high volume, automated, electronic processes that interact with our system. We operate a number of anti-abuse mechanisms to facilitate identification of and limits on prohibited use.

DATA PROTECTION RIGHTS

Afilias is subject to the provisions of the General Data Protection Regulation (GDPR), a regulation under EU law, and to the California Consumer Privacy Act (CCPA) in the US. Afilias honors confirmation, access, correction, objection, erasure, and other rights of Data Subjects under the GDPR, if you are resident in the European Economic Area, or under the CCPA, if you are a resident in the US State of California.

The GDPR and CCPA give individuals rights regarding the processing of their Personal Data including accessing, sharing and storing of their data. Any organisation that does business with EU residents is subject to the GDPR, even if it is based outside of the EU. Certain organisations that do business with California residents are subject to the CCPA, even if they are based outside of California. Article 5 of the GDPR provides for some key principles, relevant to the CCPA and which have guided the development of this policy, stating that Personal Data must be:

(a) Processed lawfully, fairly and in a transparent manner;

(b) Collected for specific, explicit and legitimate purposes and not further processed in a manner that is incompatible;

(c) Adequate, relevant and limited to what is necessary;

(d) Accurate and where necessary kept up to date;

(e) Kept in a form that permits identification of personal data for no longer than is necessary for the purpose for which the personal data are processed;

(f) Processed in a manner that ensures appropriate security of the personal data to maintain integrity and confidentiality of the data;

Under certain circumstances, if you are a natural living person, you have rights in relation to your personal data, which include the following:

You may request a copy of your Personal Data or request that a copy is sent to a third party. If you have any questions about a particular domain-name registration, you should begin by contacting the registrar of record.

You may request that your Personal Data, such as your address, is amended or corrected. If you are a domain name registrant and wish to update your domain account information, you should do so through your sponsoring registrar. Except for certain extraordinary circumstances, Afilias alters a record in the registry only at the request of the relevant and authorized registrar.

You may request the transfer of your Personal Data to a third party. If you wish to transfer domain names to another registrar, you must do so through the registrar you wish to transfer your domains to.

You may also request, in certain cases, that we restrict processing of your Personal Data. You have the right to object to certain types of processing of Personal Data. You also have the right to object to receiving direct marketing at any time.

You have the right to request deletion of your Personal Data; however, this is not always possible due to legal requirements and other obligations and factors.

You have the right to withdraw consent at any time where Afilias is processing your Personal Data on the basis that you have consented to such processing. Once we have received written notification that you have withdrawn your consent, we will no longer process your Personal Data for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

You have the right to not be discriminated against (e.g. pay an unequal price) because of the exercise of your rights.

Should you wish to exercise any of these rights please contact us via email at [email protected], or via mail at Afilias Limited, c/o Data Protection Office, 4th Floor, International House, 3 Harbourmaster Place, IFSC, Dublin 1, Ireland.

Authentication

We may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Fees

You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

Timing

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Complaints

If you are not satisfied by our actions, you can seek recourse through our internal complaints procedure. Please contact us using the points of contact above. If you are still not satisfied with how Afilias manages your personal information, you have the right to lodge a complaint to a data protection regulator. A list of National Data Protection Authorities can be found here: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.

UPDATES

This Privacy Statement may change from time to time. This version was last updated on 11 December 2019.
